US DoD Declares "Can No Longer Do Business" With Contractors Using Dahua, Hikvision, Huawei
By: Charles Rollet, Published on Apr 08, 2020The US Department of Defense has confirmed to IPVM that they fully support and intend to proceed with the NDAA 'blacklist clause' covering Dahua, Hikvision, and Huawei video surveillance.
DoD: "We Can No Longer Do Business" With Companies Using Banned Products
On March 26, speaking at virtual conference GovCon, the Chief Information Security Officer (CISO) for DoD Acquisitions, Katie Arrington, stated:
in August of 2020, if any of our contractors in the Department of Defense or our industrial base have Huawei, ZTE, or Hikvision video surveillance cameras, or telecoms, we can no longer do business. [emphasis added]
This extends the government's actions much farther. The first year of NDAA action simply prohibited the US federal government from buying or using banned products. Now, the second year (starting in August 2020) extends that ban to anyone who wants to do business with the federal government.
The video, in which Arrington also emphasizes bringing the supply chain home, is embedded below:
Arrington Background
Arrington is the top cybersecurity official for DoD's vast acquisition department, serving "as the central hub and integrator within the Office of the Under Secretary of Defense for Acquisition and Sustainment, OUSD(A&S), to align acquisition cyber strategy" per her conference bio.
DoD Response: Dahua Users, Substantial Components Included
DoD spokesperson, Lt Col Mike Andrews, confirmed to IPVM that Arrington's comments included Dahua as well, noting: "her comments applied to each company covered by the statute (section 889)."
The DoD also confirmed that products containing Huawei as an 'essential component' would also be included in this move:
As written, the statute prohibits procurement of any equipment, system, or service that uses covered equipment (i.e., equipment or services that incorporate Huawei et al. components) “as a substantial or essential component of any system or as critical technology as part of any system”, unless an exception applies or a waiver is granted. [emphasis added]
As IPVM has covered, there is no doubt that a HiSilicon system-on-a-chip counts as a "substantial or essential component", with a House Committee spokesman previously stating:
If a company has an end item with HiSillicon chips that they sell to anyone, they will be unable to do business with the federal government.
Remarks Show Government Is Serious About Blacklist
IPVM has been closely watching the implementation of the NDAA ban's 'blacklist clause', technically called (a)(1)(B) of Section 889.
This clause has caused significant concern due to fears that it will blacklist every Hikvision, Dahua, and Huawei HiSilicon chip user from selling to the US government. These users have hoped that the Trump administration would water down the rule as actual implementation details are drafted.
However, Arrington's comments are the latest proof that the federal government intends to apply the law thoroughly and as it was originally intended. (See IPVM's first report on this issue: Sell Dahua or Hikvision At All, Banned From Selling to US Federal Government). Last month, the White House also indicated it would use a "broad interpretation" of the blacklist clause.
Coronavirus Means Higher China Supply Chain Scrutiny
While the coronavirus crisis could lead to a delay in the blacklist clause's implementation, it is also sparking intense US scrutiny on China supply chains, with Arrington stating:
If COVID-19 has shown us anything, getting our own supply chain, making sure that we are taking care of home first is crucially important to our national defense
Meanwhile, the coronavirus is renewing US-China tensions, with the PRC accusing the US military of releasing the virus. These factors certainly do not favor a softer US approach.
Key Details Remain Unknown
Nevertheless, key details remain unknown about the blacklist clause, including how the federal government will interpret the NDAA language which bans someone who "uses" covered equipment, i.e. is an integrator who once installed Hikvision cameras in a bowling alley considered a 'user'?
IPVM expects more clarity on this issue in the coming months. These details are still being discussed, with a government meeting being held on the topic on March 2. Currently, the latest update is that a (non-public) draft of the clause is under review at the Office of Information and Regulatory Affairs (OFPP) in the White House's Office of Management and Budget (OMB).
DoD No Comment on Further Details
DoD told IPVM it could not give further comment on blacklist implementation details as the Federal Acquisition Regulation is still being written:
A FAR case implementing the prohibitions of 889(a)(1)(B) [the blacklist clause] is also in process, which will further impact DoD procurement. When a FAR rule is published, it will include additional information about interpretation of the statute, and the public will have an opportunity to provide comments. We [are] unable to further discuss any pre-decisional information regarding interpretation of 889(a)(1)(B) until a FAR rule is published.
SIA No Response
The US Security Industry Association, who represents Dahua, Hikvision and many of their US partners did not respond to our requests for comment on the DoD's statements to IPVM.
SIA has pushed against a tough interpretation; e.g., at a March 2 meeting, SIA gave a presentation warning of "vague language" and "a significant negative economic impact".
Conclusion
It's clear the US government is taking a firm approach towards Hikvision/Dahua integrators or those using equipment with Huawei HiSilicon chips. Any integrators who find themselves in this category should pay close attention if they want to do business with the federal government again.
2 reports cite this report:
Comments (25)
How are they (DOD) going to police this? How would they know if Integrator A did a small install using HIKUA? But use compliant gear on DOD installs? One would think that so long as they don’t advertise HIKUA on their company website they would be safe, no?
One would think that so long as they don’t advertise HIKUA on their company website they would be safe, no?
So you're not guilty if you don't get caught? It's certainly an option but you are exposing yourself to quite some risk. A company's competitors could report them. IPVM could report them.
I think many smaller companies will take this tactic but it's quite a risk if you are a large company with lawyers and audits, etc.
Is there any clarity on the use of Federal Funds (i.e. Non Profit Security Grants through FEMA) for banned equipment like Hikvision products? A security grant recipient is required to obtain multiple bids - what if they all contain banned products? With these grants, the states administer the funds to the recipients. What happens if the banned products are already installed because the state agencies who approved the proposals were not aware that it may be illegal to reimburse the non profits for the installation of certain made-in-China equipment? I just spoke to a state administrator in NM who was completely unaware of the proposed ban extending beyond Federal Government until I directed him to the IPVM site.
Hi Russ, good question. IPVM wrote a post about this in February (White House Proposes Blacklist of Dahua, Hikvision Users).
The Office of Management and Budget, which is part of the White House and manages the entire US federal budget, says it is drafting a regulation which will
prohibit Federal award recipients from using government funds to enter into contracts (or extend or renew contracts) with entities that use covered telecommunications equipment or services. This prohibition applies even if the contract is not intended to procure or obtain, any equipment, system, or service that uses covered telecommunications equipment or services.
So that means any federal award recipient (grant or loan) would not be able to do business with an integrator using Hikvision, Dahua, or Huawei HiSilicon.
You asked about Non Profit Security Grants through FEMA. FEMA is part of the federal government (under the Department of Homeland Security) whose budget is directed by OMB. So FEMA will not be able to do business with those using covered equipment.
A security grant recipient is required to obtain multiple bids - what if they all contain banned products?
These bids simply won't be valid if they contain banned products.
Keep in mind the regulation is still being drafted, so we're not 100% sure if there will be any significant exemptions, although I consider an exemption allowing banned equipment if there's multiple bids highly unlikely.
You also asked:
With these grants, the states administer the funds to the recipients. What happens if the banned products are already installed because the state agencies who approved the proposals were not aware that it may be illegal to reimburse the non profits for the installation of certain made-in-China equipment?
The White House language is pretty clear. It intends to ban "Federal award recipients" from spending federal funds on covered equipment users. It doesn't matter if it's a state that's an award recipient, or a nonprofit, etc.
As for "what happens if the banned products are already installed?" That I don't know, but I expect more details when the White House releases its full draft regulation (2 CFR 200.216). IPVM will publish a post when that happens.
Any other questions, let me know!
Charles:
Great expansion on the topic and references to past articles and comment threads on the NDAA.
Those articles were before the new stimulus program that appropriates $500B to the SBA to administer stimulus checks to approved businesses that apply.
What is the consensus on how the NDAA and stimulus package would work together? Technically speaking, the NDAA is enforced by the DoD; who'd enforce non-DoD federally funded projects?
Hi, that's another good question, thanks for asking. First of all, Part B (the Blacklist Clause) is not being enforced until August 13, 2020 at the earliest, and that could be pushed back due to the pandemic. There's no indication Part B will influence how any of the current stimulus funding is being doled out.
However, if the pandemic continues to get worse and the White House sends new stimulus after Part B is in force, then yes, those using covered equipment may not be able to receive anything. To be 100% sure though, we still need to see the rule being drafted by the White House, and that hasn't been released yet.
As to who will enforce non-DoD federally funded projects, under non-pandemic times, there are a number of agencies doing this. Grants.gov (the federal government website for grants) states:
The Government Accountability Office (GAO), Office of Inspector General (OIG), and various departments within each Federal agency monitor and analyze policies, expenditures, and more activities within each grant-making agency. These same entities, as well as others, also monitor and analyze the performance of grant recipients.
However, COVID stimulus specifically is being overseen by the Special Inspector General for Pandemic Recovery. That is the former GSA watchdog Brian Miller who has been nominated by the Trump administration, but is currently pending Senate approval.
in August of 2020, if any of our contractors in the Department of Defense or our industrial base have Huawei, ZTE, or Hikvision video surveillance cameras, or telecoms, we can no longer do business.
Keyword- HAVE (verb) possess, own, or hold
I would interpret hold to mean "to trade, resell, or distribute". So this, to me, would mean the DoD could no longer purchase anything directly (or two-step, indirectly) from our industries distributors too (i.e. Anixter/Wesco, CSC, ADI, Graybar, Scansource, etc.). Would these distributors drop all black list lines so they can continue to sell Schedule 70, 56, etc.? Or would they be able to restructure their businesses and operate and do business with the DOD in compliance?
Or if a company's employee uses a TV, android box, or action cam that contains a Hisilicon chip? Not sure how common these are in North America. But these are even less likely to advertise the chipsets used in them than security cameras are.
Or if a company's employee uses
Nothing in the legislation or the statements from the US government has indicated any coverage of what someone personally uses, i.e., a JCI technician with a Hikvision camera at home.
Do we have any official document released by US Government to state the banning or blacklisting or debarring of Hikvison, Dahua & Huawei products for the US as end user ?
The US government hasn't banned these products for all end users. You can still buy a Hikvision camera in the US easily. It has only banned the products if the end users are government agencies. And by August 2020 (potentially later), any end user of these banned products won't be able to do business with the federal government. This is all laid out in Section 889 of the 2019 NDAA, a US government bill.
Does that make sense? If you need further clarification, let me know.
#4, thanks for your first comment. Below are excerpts from the 2018 US law (NDAA) full text passed on this:
Where can we get an official document from the US Government that if 2018 document still holds good ? We need a signed copy to certify this point !!
Here is the official page from the US Congress showing that it is law:
And here is the excerpt from that page that shows Dahua and Hikvision:
Does that help?
Dear John,
Can we get a link of this site to access this information ourselves. Also, can we write to somebody (email ID & Phone number) to get a response from US Government for the same.
I gave you the direct US Congress link in the comment you are responding to, here it is again Text - H.R.5515 - 115th Congress (2017-2018): John S. McCain National Defense Authorization Act for Fiscal Year 2019 | Congress.gov | Library of Congress
If you don't trust the literal source of the law, the video from the DoD nor the quote we have from the DoD, I am not sure how I can help you.
I take it this includes Hikvision dealers no longer have the ability to sale into federally funded entities. (Local school districts, cities and hospitals). I am calling out a few companies like Stanley, ADT, Eagle Eye, Anixter, and ADI. Can anyone get a list of Hikvision dealers?
How about all the OEM companies that Hik and Dahua supply? Does this apply to TVT, Sunell and uniview also? I am sure they use the same components.
If a "component necessary for the proper function or performance" of a camera is made by Hikvision, Dahua, or Huawei, then it is covered by the ban (see IPVM's report: Dahua, Hikvision, Huawei US Ban Rules Released.)
Since we know Uniview and TVT use mostly HiSilicon SoCs, they are already covered - thus it's not really relevant whether Hikvision and Dahua also supply components to them. (I'm not sure about Sunell's use of HiSilicon though, I will look into that and update.)
If Hikvision and Dahua supply "a substantial or essential component" (as spelled out in the NDAA) to other security camera manufacturers, then those products with the Hikvision/Dahua components are covered by the ban too. But Huawei HiSilicon is a more well-known risk since they make the SoCs of such a huge proportion of IP cameras.
what about integrators that have existing clients with Hikuawei cameras w/ warranties? will they still be able to service them w/ Hikuawei equipment?
Its look like someone has business with another Chinese or not company that didn’t involved to those mentioned. What the difference among with mentioned brands banned and the others Chinese manufactures allowed to work with? What happens for example with Chinese Drone companies where USA it’s the top best buyer?
The NDAA ban doesn't cover all Chinese firms - it only targets Hikvision, Huawei, and Dahua and "any subsidiary or affiliate" of those firms. (Hytera and ZTE are also covered by the ban but these are outside of video surveillance, so IPVM typically doesn't mention them.)
what is to stop the banned companies from manufacturing parts etc with slightly different configurations, branded differently, and sold to other approved mfg. Are we sending inspectors to china to determine who is xyz company?
what is to stop the banned companies
Cost, complexity, risk, etc.
Dahua and Hikvision only do ~5% of their global revenue in the US and do ~70% inside of China. It would be a lot of work and risk for that.
Also, IPVM maintains OEM directories that are widely referenced to help identify those who use Hikua, e.g., Hikvision OEM Directory, Dahua OEM Directory
Most Recent Industry Reports
